PatchSiren cyber security CVE debrief
CVE-2025-6377 Rockwell Automation CVE debrief
A remote code execution vulnerability exists in Rockwell Automation Arena simulation software versions 16.20.08 and earlier. The flaw stems from an out-of-bounds write condition when processing DOE (Design of Experiments) files, which can be exploited to execute arbitrary code. Exploitation requires user interaction—a legitimate user must open a maliciously crafted DOE file. The vulnerability was disclosed in CISA advisory ICSA-24-345-06 Update B on February 3, 2026, adding CVE-2025-6377 to an existing advisory that was initially published December 10, 2024. Rockwell Automation has released version 16.20.09 to address this issue.
- Vendor
- Rockwell Automation
- Product
- Arena
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-10
- Original CVE updated
- 2026-02-03
- Advisory published
- 2024-12-10
- Advisory updated
- 2026-02-03
Who should care
Organizations using Rockwell Automation Arena for discrete event simulation in industrial environments, particularly those exchanging DOE files externally or with supply chain partners. OT security teams and asset owners in manufacturing, logistics, and process industries where Arena models are deployed.
Technical summary
CVE-2025-6377 is an out-of-bounds write vulnerability (CWE-787) in Rockwell Automation Arena's handling of DOE files. The vulnerability allows a threat actor to write beyond allocated memory boundaries, potentially achieving arbitrary code execution. The attack vector is local (AV:L) with high attack complexity (AC:H) and requires user interaction (UI:R)—specifically, a legitimate user must execute a malicious DOE file crafted by the attacker. Despite the local attack vector, the impact is severe with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The vulnerability affects Arena versions 16.20.08 and earlier. Rockwell Automation released version 16.20.09 as a fix. Interim mitigations include avoiding untrusted files and using the Control key during file load to suppress VBA execution.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Rockwell Automation Arena version 16.20.09 or later.
- Avoid opening untrusted Arena model files, particularly DOE files from unknown sources.
- Hold the Control key when loading files to prevent VBA file stream execution as a temporary mitigation.
- Implement Rockwell Automation security best practices for industrial control systems.
- Apply CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization.
Evidence notes
CVE published 2024-12-10; advisory updated 2026-02-03 to add CVE-2025-6377 per revision history. CVSS 3.1 score 7.0 (HIGH) with vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected product: Rockwell Automation Arena <=16.20.08. CWE-787 (Out-of-bounds Write) identified.
Official resources
-
CVE-2025-6377 CVE record
CVE.org
-
CVE-2025-6377 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-12-10